kwagga

[Weigh In/Opinion/Help] Multiple SSID VLAN taggings to specific interfaces

Tue Sep 15, 2015 10:06 am

Hi fellow MTik'ers,

I have to implement a solution at an existing premises for a client, and would like some opinions on VLANs. Unfortunately I have almost no experience when it comes to one of MikroTik's most powerful features, VLAN!

After reading many posts, I tried to combine what I've read, and I decided on marked routing, as this would be the easiest way to route traffic matching a set criterion, such as an IP range, to a specific interface.

However, I need to (and correct me if I'm wrong) use VLAN tagging, as between the client's wireless access points and the soon-to-be-installed MikroTik router there is an unmanaged switch, so obviously I can't trunk.

Could everyone who is experienced with VLANs please comment on my config below and advise whether what I've done will work, and whether it's the best approach? Any comments would be appreciated!


Simple diagram: [image not included]

Objective:
SSID 1 <<==VLAN 20==>> VPN(SSTP) <<==PPPoE==>> DSL aka "VPN Traffic"
SSID 2 <<==VLAN 10==>> LTE aka "Normal Traffic"

Description:
Several wireless access points broadcast multiple SSIDs (SSID 1 and SSID 2), whilst connecting back to an unmanaged switch, which has a single Ethernet connection to the MikroTik router. Data between the two SSIDs must not be permitted, except for one host, which must be accessible from both SSIDs.

These SSIDs will have VLAN IDs attached to them (Draytek/Ubiquiti APs, as well as the same SSIDs on the MikroTik itself).

On the MikroTik router there will be two WAN interfaces, ETH 1 and ETH 2 (a DSL modem and an LTE router), and an SSTP connection which must use the DSL interface.

SSID 1 (VLAN 20) will have its own IP range, and SSID 1's clients must use the SSTP VPN for their internet.
SSID 2 (VLAN 10) will have its own IP range, and SSID 2's clients must use the LTE interface for their internet.

Possible Solution
============
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.88.1/24 192.168.88.0 Bridge_VLAN10_NormalTraf
1 192.168.2.1/24 192.168.2.0 Bridge_VLAN20_VPN
2 D 10.1.240.10/24 10.1.240.0 INT_ETH1_ADSL

[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
0 R name="Bridge_VLAN10_NormalTraf" mtu=auto actual-mtu=1500 l2mtu=1598
arp=enabled mac-address=D4:CA:6D:94:25:48 protocol-mode=rstp
priority=0x8000 auto-mac=no admin-mac=D4:CA:6D:94:25:48
max-message-age=20s forward-delay=15s transmit-hold-count=6
ageing-time=5m

1 R name="Bridge_VLAN20_VPN" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled
mac-address=D4:CA:6D:94:25:49 protocol-mode=rstp priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

2 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled
mac-address=D4:CA:6D:94:25:4A protocol-mode=rstp priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

[admin@MikroTik] /ip dhcp-server> print
Flags: X - disabled, I - invalid
# NAME INTERFACE ADDRESS-POOL LEASE-TIME ADD-ARP
0 default Bridge_VLAN10_NormalTraf DHCP-Master 10m
1 VLAN_VPN_DHCP Bridge_VLAN20_VPN VLAN_VPN_DHCP-Pool 10m

[admin@MikroTik] > /interface ethernet switch vlan print
Flags: X - disabled, I - invalid
# SWITCH VLAN-ID PORTS
0 switch1 20 ether3
1 switch1 10 ether3


NOTE: ETH3 is the cable that is coming from the unmanaged switch.

Flags: I - invalid
# NAME SWITCH VLAN-MODE VLAN-HEADER DEFAULT-VLAN-ID
0 INT_ETH1_ADSL switch1 disabled leave-as-is auto
1 INT_ETH2_LTE switch1 disabled leave-as-is auto
2 ether3 switch1 check leave-as-is auto
3 ether4 switch1 disabled leave-as-is auto
4 ether5 switch1 disabled leave-as-is auto
5 switch1-cpu switch1 disabled leave-as-is auto


[admin@MikroTik] > /ip firewall filter pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept connection-state=established,related log=no log-prefix=""

1 I ;;; default configuration
;;; ADSL not ready
chain=input action=drop in-interface=ADSL log=no log-prefix=""

2 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""

3 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no log-prefix=""

4 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""

5 I ;;; default configuration
;;; ADSL not ready
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ADSL log=no log-prefix=""

6 chain=forward action=drop src-address=192.168.88.0/24 dst-address=192.168.2.0/24 log=no log-prefix=""

7 chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""
NOTE: Preventing Inter-VLAN routing.
8 I ;;; VPN_1 not ready
chain=forward action=accept src-address=192.168.2.0/24 out-interface=VPN_1 log=no log-prefix=""

9 chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""


[admin@MikroTik] /ip firewall> mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=mark-routing new-routing-mark=SSTP-OUT passthrough=no protocol=tcp dst-port=443 log=no log-prefix=""
NOTE: I want the SSTP connection to dial out via the DSL interface.

1 chain=prerouting action=mark-routing new-routing-mark=VPN passthrough=no src-address=192.168.2.0/24 log=no log-prefix=""

2 chain=prerouting action=mark-routing new-routing-mark=LTE passthrough=no src-address=192.168.88.0/24 log=no log-prefix=""

[admin@MikroTik] /ip firewall> /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhol
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 S 0.0.0.0/0 ADSL 1
1 S 0.0.0.0/0 VPN_1 1
2 A S 0.0.0.0/0 INT_ETH2_LTE 1
3 S 0.0.0.0/0 ADSL 1
4 S 0.0.0.0/0 INT_ETH1_ADSL 1
5 ADS 0.0.0.0/0 10.1.240.1 1
6 ADC 10.1.240.0/24 10.1.240.10 Bridge_VLAN10_N... 0
7 ADC 192.168.2.0/24 192.168.2.1 Bridge_VLAN20_VPN 0
8 ADC 192.168.88.0/24 192.168.88.1 Bridge_VLAN10_N... 0
9 S 208.64.38.55/32 VPN_1 1
============



Config:
http://pastebin.com/aWH12cvD
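A worked version of the objective above, added here as an example and not the poster's config or anything from MikroTik: it shows the shared-host exception the description calls for, keeps inter-VLAN traffic out of the marked routing tables so it still uses the connected routes, and fails closed when the SSTP tunnel is down. It assumes RouterOS v6 syntax, VLAN handling on the CPU through /interface vlan rather than the switch chip, and a shared host at 192.168.2.10 in VLAN 20 (constructed address).

```routeros
# Added example (not the poster's config). Assumed: RouterOS v6, VLANs
# terminated on the CPU, shared host 192.168.2.10 in VLAN 20 (constructed).

# 1. One tagged sub-interface per SSID VLAN on the port that faces the
#    unmanaged switch (ether3), each placed in its own bridge so that the
#    per-VLAN addresses and DHCP servers from the post apply unchanged.
/interface vlan
add name=vlan10 vlan-id=10 interface=ether3
add name=vlan20 vlan-id=20 interface=ether3
/interface bridge port
add bridge=Bridge_VLAN10_NormalTraf interface=vlan10
add bridge=Bridge_VLAN20_VPN interface=vlan20

# 2. Inter-VLAN isolation with a single shared host. The accept for the
#    shared host must sit ABOVE the two drops; return traffic is covered by
#    the established,related rule that precedes them.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address=192.168.88.0/24 \
    dst-address=192.168.2.10 comment="shared host reachable from VLAN 10"
add chain=forward action=drop src-address=192.168.88.0/24 \
    dst-address=192.168.2.0/24 comment="block VLAN 10 -> VLAN 20"
add chain=forward action=drop src-address=192.168.2.0/24 \
    dst-address=192.168.88.0/24 comment="block VLAN 20 -> VLAN 10"

# 3. Policy routing. Traffic between the two LANs is left unmarked first,
#    otherwise a marked table's default route would send VLAN 10 -> shared
#    host traffic out of the LTE link instead of the connected route.
/ip firewall address-list
add list=LAN address=192.168.88.0/24
add list=LAN address=192.168.2.0/24
/ip firewall mangle
add chain=prerouting dst-address-list=LAN action=accept \
    comment="keep inter-VLAN traffic in the main table"
add chain=prerouting src-address=192.168.2.0/24 \
    action=mark-routing new-routing-mark=VPN passthrough=no
add chain=prerouting src-address=192.168.88.0/24 \
    action=mark-routing new-routing-mark=LTE passthrough=no
add chain=output protocol=tcp dst-port=443 \
    action=mark-routing new-routing-mark=SSTP-OUT passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=VPN_1 routing-mark=VPN distance=1
# Fail closed: with VPN_1 down the VPN table would otherwise fall through
# to the main table and VLAN 20 clients would leak out over LTE or DSL.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=VPN distance=2
add dst-address=0.0.0.0/0 gateway=INT_ETH2_LTE routing-mark=LTE distance=1
add dst-address=0.0.0.0/0 gateway=ADSL routing-mark=SSTP-OUT distance=1
```

With the SSTP tunnel disconnected, `/ip route print where routing-mark=VPN` should show only the blackhole route active, which is the check that VLAN 20 cannot reach the internet unprotected.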
